Most auditors don’t perform a test of controls. But should they? Below I explain when such a test is required. I also explain why some auditors choose to use this test even when not required.
Once risk assessment is complete, auditors have three further audit procedures they can use to respond to identified risks:
This article focuses on the third option.
Which responses to risks of material misstatement are best? That depends on what you discover in risk assessment.
If, for example, your client consistently fails to record payables, then assess control risk for completeness at high and perform a search for unrecorded liabilities (a substantive procedure).
By contrast, if the internal controls for receivables are strong, then assess control risk for the existence assertion at less than high, and test controls for effectiveness. (You do, however, have the option to perform substantive tests rather than test controls, even when controls are appropriate. More about this in a moment.)
Many auditors assess control risk at high (after risk assessment is complete) and use a fully substantive approach. That is fine, especially in audits of smaller entities. Why? Because smaller entities tend to have weaker controls. As a result, controls may not be effective. Therefore, you may not be able to assess control risk at less than high.
Control risk assessments of less than high must be supported with a test of controls to prove their effectiveness. But if controls are not effective, you must assess control risk at high. This is one reason why you might bypass testing controls: you know, either from prior experience or from current-year walkthroughs, that controls are not effective. If your test reveals ineffectiveness, you are back to square one: a control risk assessment of high. Then substantive procedures are your only option. In such a situation, the initial test was a waste of time.
But if controls are effective, why not test them? Doing so allows you to reduce your substantive procedures. There is one reason, however, why you might not test controls even though they appear appropriate: substantive tests may take less time.
Once risk assessment is complete, your responses—the further audit procedures—are based on efficiency and effectiveness. If control testing takes less time, then use this option. If substantive procedures take less time, then perform a test of details or use substantive analytics. But, regardless of efficiency considerations, address all risks with appropriate responses.
Suppose you’ve decided to test controls for effectiveness. But how? Let’s look at an example starting with risk assessment.
Your approach to testing controls depends on risk.
For example, suppose your billing and collections walkthrough reveals appropriate segregation of duties. You see that authorized personnel issue receipts for each payment received. Additionally, you determine that total daily cash inflows are reconciled by the collections supervisor to the online bank statement, and she signs off on a reconciliation sheet as evidence of this procedure. Lastly, you note that a person not involved in cash collections reconciles the monthly bank statement. In other words, controls are properly designed and in use.
Furthermore, you believe completeness is a relevant assertion. Why? Theft of incoming cash is a concern since the business handles a high volume of customer checks. If checks are stolen, cash collections would not be complete. Consequently, the inherent risk for completeness is high. The fraud risk is a significant risk which requires a test of details in addition to the test of controls.
Now it’s time to test for effectiveness.
Test the receipt controls on a sample basis. But before doing so, document the controls you desire to test and the sample size determinations. (See AICPA’s Audit Sampling standard, AU-C 530.)
The first control you are testing is the issuance of receipts by an authorized person and your sample size might be sixty.
The second control you are testing is the daily reconciliation of cash to the bank statement. For example, you could agree total daily receipts to the bank statement for twenty-five days. As you do so, you review the daily sign-offs on the reconciliation sheets. Why? The collection supervisor’s sign-off is the evidence that the control was performed.
The third control you are reviewing is the reconciliation of the bank account by a person not involved in the receipting process. So, you review the year-end bank reconciliation and confirm that the person that reconciled the bank statement was not involved in cash collections.
Once the tests are performed, determine whether the controls are effective. If they are, assess control risk for the completeness assertion at less than high. Now you have support for that lower assessment.
And what about substantive tests?
You need to perform a test of details since a significant risk (the fraud risk) is present. You might, for example, reconcile the daily total receipts to the general ledger for a month.
If your tests do not support effectiveness, expand your sample size and examine additional receipts. Or skip the tests (if you believe the controls are not effective) and move to a fully substantive approach. Regardless, if controls are not effective, consider the need to communicate the control deficiency to management and those charged with governance.
So, when should you test controls? First let’s look at required tests and then optional ones.
Here are two situations where you must test controls:
Let me explain.
Auditing standards allow a three-year rotation for control testing, as long as the area tested is not a significant risk. But if the auditor plans to rely on a test of controls related to a significant risk, operating effectiveness must be tested annually.
Also, a test of controls is necessary if substantive procedures don’t properly address a risk of material misstatement. For example, consider the controls related to reallocation of investments in a 401(k). The participant goes online and moves funds from one account to another. Other than the participant, there are no humans involved in the process. When processes are fully automated, substantive procedures may not provide sufficient audit evidence. If that is your situation, you must test controls. Thankfully, a type 2 service organization control report is usually available in audits of 401(k)s. Such a report provides evidence that controls have already been tested by the service organization’s auditor. And you can place reliance upon those tests. In most cases, substantive procedures can properly address risks of material misstatement. So this test requirement is usually not relevant.
We just covered the two situations when testing is required. All other control testing is optional.
Prior to making the decision about testing, consider the following:
As I said earlier, audit standards allow a three-year rotation for testing. For example, if you test accounts payable controls in 2020, then you can wait until 2023 to test them again. In 2021 and 2022, you need to ensure that these controls have not changed. You also want to determine that those controls have continuing relevance in the current audit. How? See if the controls continue to address a risk of material misstatement. And as you perform your annual walkthroughs, inquire about changes, observe the controls, and inspect documents. Why? You want to know that everything is working as it was in 2020, when the initial test was performed. And, yes, you do need to perform those walkthroughs annually, if that is how you corroborate your understanding of controls.
In short, testing for effectiveness can, in most cases, occur every three years. But walkthroughs are necessary each year. If you tested sixty transactions for an appropriate purchase order in 2020, then you can wait until 2023 to do so again. But review the purchase order process each year in your annual walkthroughs.
So should you test controls at interim or after year-end?
Some auditors test controls after the period-end (after year-end in most cases). Others at interim. Which is best?
It depends.
Perform interim tests if this fits better in your work schedule. Here’s an example: You perform an interim test on November 1, 2021. Later, say in February 2022, consider whether controls have changed during the last two months of the year. See if the same people are performing those controls. And consider performing additional tests for the November 1 to December 31 period. Once done, determine if the controls are effective.
Testing on an interim date is not always the answer. For example, if management is inclined to manipulate earnings near year-end, then interim tests may not be appropriate.
If you choose to test after period-end, then do so for the full period being audited. Your sample should be representative of that timeframe.
So should you ever test controls at a point in time and not over a period of time? Yes, sometimes. For example, test inventory count controls at year-end only. Why? Well, those controls are only relevant to the year-end count, a point in time. Most controls, however, are in use throughout the period you are auditing. Therefore, you need to test those controls over that period of time (e.g., year).
As I said above, many auditors tend to rely fully on substantive responses to the risks of material misstatement. But, in some cases, that may not be the best or wisest approach. If controls are designed well and functioning, why not test them? Especially if it takes less time than substantive procedures.
Finally, take a look at my two related articles regarding responses to the risk of material misstatement: (1) Test of Details: Substantive Procedures and (2) Substantive Analytical Procedures: Power Up.
Charles Hall is a practicing CPA and Certified Fraud Examiner. For the last thirty-five years, he has primarily audited governments, nonprofits, and small businesses. He is the author of The Little Book of Local Government Fraud Prevention, The Why and How of Auditing, Audit Risk Assessment Made Easy, and Preparation of Financial Statements & Compilation Engagements. He frequently speaks at continuing education events. Charles consults with other CPA firms, assisting them with auditing and accounting issues.
See AU-C 330.14; also AU-C 330.A40-43. You need to test parts of the controls annually, but not all of them. The standards don’t specify exactly what each year. I think the annual part of this requirement was created after I wrote the article, so I need to update that.
Hi Charles, please could you provide a link to the US Audit Standards that explain the 3 year rotation cycle for control testing?
Liew, if you know controls are not designed correctly, it would be a waste of time to test them or even do a walkthrough. Still, a walkthrough may provide evidence of other controls or compensating controls. You need to communicate the control weakness to management and those charged with governance, especially if there are no compensating controls.
If the design of internal control was ineffective (e.g., lack of segregation of duty), is the walkthrough test or testing on implementation still necessary?
Bob, if you are testing controls for effectiveness, you usually want to do so for the entire year. You can perform walkthroughs of earlier periods to see if you have risk, but once you decide to test for effectiveness, I would test the complete year.
Rebecca, the three year cycle relates to test of controls alone. Not sure about tests outside of financial statement audits. The three year cycle comes from U.S. Audit standards.
U.S. audit standards.
Which handbook section is the 3 year rotation from?
For quarterly controls, can you test Q2 and Q3 and opine at 12/31?
Would the 3 yr. cycle be appropriate for testing of controls by Risk Management (i.e., SLOD)? Also, what are your recommendations as to what should be the basis for developing a rotational cycle for control testing by SLOD for rotation cycle? This is year one of implementing a formal ERA and looking for insights to developing testing schedule (i.e., no controls have been tested for effectiveness (TOE). TOD is complete. Thank you!
Yes, you still need to perform your risk assessment work as a basis for planning the engagement.
Yes, walkthroughs are a part of your risk assessment. This helps you identify your risks before planning the audit. That information will provide you with the basis for your responses. Responses include testing controls for effectiveness, substantive analytics, and test of detail.
If you are testing controls, is doing a walk thru necessary?